Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 529
  • Last Modified:

Firewall & ICQ

Bastion host: FreeBSD & firewall(ipfw)
Q: How describe ICQ-ports in ipfw config for internet (w/external world) chat without ICQ server on bastion)
0
korzadze
Asked:
korzadze
  • 2
1 Solution
 
mzitoCommented:
On the client side, in ICQ, go into the Connections tab in the Preferences folder and select "Permanent LAN" and "I'm behind a proxy server/firewall." Then click on "Firewall Settings" and set ICQ to use a range of tcp ports (you set them, but it should be no fewer than 11 ports, like 3600 to 3610). Finally, reconnect to the ICQ network to apply the new settings.

Then, using ipfw, poke a hole in the firewall for that given range of tcp ports.  I haven't used ipfw in a while, so I can't remember the exact syntax, but check the man pages for the forwarding syntax.

One more thing: you have to set up each client with a separate range of tcp ports  (i.e. Client #1 has ports 3600-3615, client #2 has ports 3616-3631, etc.). Then just poke the hole in the firewall for the whole range of ports.  Hope this answers your question.

Best Wishes,
Matthew Zito
0
 
korzadzeAuthor Commented:
Sorry, but i don't know how describe establish connect for ICQ in terms ipwf, ie. establish, setup ... and protocols TCP, UDP or so. (novice in deal with Unix :-( )

From man on ipfw:
         established       Matches packets that have the RST or ACK bits set.
                                    TCP packets only.
         setup                 Matches packets that have the SYN bit set but no
                                    ACK bit.  TCP packets only.
0
 
mzitoCommented:
Oh, okay.  That's easy enough.  The simplest solution to your question is to not specify established or setup connections.  Here's the command line for what you're looking for  (I dragged out my old FreeBSD handbook):

       ipfw add allow ip from any to AAA.BBB.CCC.0/24 DDDD-EEEE
 
Where AAA.BBB.CCC.0/24 is your class C network
DDDD is the start port that you put into ICQ
EEEE is the final port you put into ICQ
The DDDD-EEEE port range should ideally be for all clients. (i.e. in the aforementioned example if Client #1 has 3000-3020, client #2 has 3021-3040, and client #3 has  3041-3060, your DDDD-EEEE would be 3000-3060.) That way, it's only one rule set  your kernel has to match against. The other w ay would be to add an entry for each client.  That syntax would be as follows:

ipfwadm add allow ip from any to AAA.BBB.CCC.FFF/32 DDDD-EEEE
In this case, AAA.BBB.CCC.FFF is a single ip address, which is why it is suffixed with /32.  I would reccommend a single rule, though, matching all clients.  That way, the kernel will only match the one rule instead of one rule for each client.  Hope this answered your question more thoroughly
0
 
mseidenCommented:
icq has both a proprietary protocol and proprietary code you
run on your desktop.  that protocol can be manipulated to install a back door on your machine.  for one example, see http://members.tripod.com/~hakz/ICQ/index.html, which claims
one such back door has been written capable of executing arbitrary commands on your desktop machine.

there have been a number of data-driven attacks on icq posted to various bug reporting lists.  i recommend to my clients that
icq not be allowed through firewalls until the protocol is
published and proxies are written that can handle it.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now